about quttera malware scan report

Understanding website security report by Quttera


To decide whether the files retrieved during a URL request (hosted on the website or at any other location) pose a threat to the user, we scan them with the Quttera malicious content detection engine. The engine runs on each file, performing an in-depth byte-by-byte analysis to obtain the most precise evaluation of its potential maliciousness.

The output of the analysis is then presented in the Scanned files analysis section of the detailed report. It is built from standard blocks whose fields contain the information gathered while running the malware scan job:

  • File name: - name of the scanned file
  • Severity: - level of maliciousness (see below for explanation)
  • Reason: - reason for detection
  • Details: - details of detection
  • Offset: (if applicable) - at which offset the malicious code is detected
  • Threat dump: (if applicable) - the snapshot of the suspicious area
  • File size[byte]: - size of the file in bytes
  • File type: - type of the scanned file
  • MD5: - file signature
  • Scan duration[sec]: - time it took to complete the file scan

While reviewing the exploit detection engine output, we realised that it would be difficult for a regular internet user to understand the technical details and the detection status. To make things easier, we decided to categorise the scan results into several groups, called Severities. There are four (4) groups, arranged according to the level of maliciousness of the detections in each group. The constraint was not to create too many groups, while still giving an average user a clear picture of what is behind the code and how dangerous it might be.

This scheme is constantly developing, and changes will occur as we analyse feedback and fix bugs. Currently, the general classification of threat Severity statuses is as follows:

  • S1."Clean" - No suspicious elements found.
  • S2. "Potentially suspicious" - Detected elements or procedures that can be used (or are commonly used) in suspicious activities.

    Some examples -

    Details: Detected abnormal use of [iframe] elements.
    It is detected because the investigated page contains a huge number of iframe elements. Such a page may not serve malware purposes, but we think the user should be alerted in any case and then review each element to make a final decision whether to visit the website or not. Alternatively, our team is ready to answer any question or query via contactus@quttera.com
    Details: Detected unconditional redirection to external web resource.
    It is detected because an HTTP-level redirection, for example, can be used to land a user who wanted to visit a certain URL at another web location that hosts malware.
  • S3."Suspicious" - High risk of malicious activity.

    Some examples -

    Details: High risk of security weakness exploit.
    One of the reasons for such a detection is that the file contains executable instructions that may be used to decrypt hidden shell-code.
    Details: Modified PDF format.
    Detected a PDF document which is malformed and might be used to exploit a security vulnerability in the PDF reader. Of course, the file may simply be corrupted for other reasons, hence the "Suspicious" Severity.
  • S4. "Malicious" - Detected security weakness exploit or known malicious content. The file is dangerous. Technically, all detections at this Severity level pose the highest threat to the user, so websites containing such files should be avoided. (e.g. a detected PDF with embedded known malware. Implications - if the user opens it in Adobe Reader, or the file automatically opens in the browser reader plugin, then the targeted device will be attacked.)

As a general safety rule, all files in the range S2-S4 should draw your attention. If you don't trust the website that hosts these files, you should think again before visiting it.
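The report fields listed above and the S1-S4 scale can be handled in code. The following is an added example, not Quttera's own tool: a small Python parser for report blocks that assigns each block its S-level, applies the S2-S4 rule, groups files for review, and lets you confirm that a file you retrieved yourself matches the MD5 the report lists. The one-"Field: value"-per-line layout, the blank line separating blocks, the function names parse_report and triage, and the sample report are assumptions; the field names and Severity labels are the ones described above.

```python
"""Parse a Quttera-style 'Scanned files analysis' report and triage it by Severity.
Added example, not Quttera's own code. Field names and Severity labels come from
the report description; the 'Field: value' line layout, the blank line between
blocks and the sample report below are constructed assumptions."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Severity label -> S-level, looked up after stripping quotes and case.
SEVERITY_LEVELS = {"clean": 1, "potentially suspicious": 2, "suspicious": 3, "malicious": 4}
# Block fields from the report description; Offset/Threat dump appear only "if applicable".
KNOWN_FIELDS = {"File name", "Severity", "Reason", "Details", "Offset", "Threat dump",
                "File size[byte]", "File type", "MD5", "Scan duration[sec]"}
FIELD_RE = re.compile(r"^(?P<key>[^:]+?):\s*(?P<value>.*)$")


@dataclass
class ScannedFile:
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def name(self) -> str:
        return self.fields.get("File name", "")

    @property
    def level(self) -> int:
        """S1..S4 for the Severity label, 0 if the label is unknown."""
        label = self.fields.get("Severity", "").strip().strip('"').lower()
        return SEVERITY_LEVELS.get(label, 0)

    def needs_attention(self) -> bool:
        """The page's rule: everything in the S2-S4 range should alert the reader."""
        return self.level >= 2

    def md5_matches(self, data: bytes) -> bool:
        """Confirm that a file you fetched yourself is the one the report describes."""
        return hashlib.md5(data).hexdigest() == self.fields.get("MD5", "").lower()


def parse_report(text: str) -> List[ScannedFile]:
    """Split blank-line separated blocks into ScannedFile objects. A line that is not
    a known 'Field:' continues the previous value, so a multi-line Threat dump
    (which may itself contain colons) stays intact."""
    entries: List[ScannedFile] = []
    current, last_key = ScannedFile(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line closes the current block
            if current.fields:
                entries.append(current)
            current, last_key = ScannedFile(), None
            continue
        m = FIELD_RE.match(line)
        if m and m.group("key").strip() in KNOWN_FIELDS:
            last_key = m.group("key").strip()
            current.fields[last_key] = m.group("value").strip()
        elif last_key is not None:        # continuation of the previous field's value
            current.fields[last_key] += "\n" + line
    if current.fields:
        entries.append(current)
    return entries


def triage(entries: List[ScannedFile]) -> Dict[str, List[str]]:
    """Group file names by S-level so the S2-S4 range can be reviewed first."""
    groups: Dict[str, List[str]] = {"S1": [], "S2": [], "S3": [], "S4": [], "unknown": []}
    for e in entries:
        groups[f"S{e.level}" if e.level else "unknown"].append(e.name)
    return groups


# Constructed sample report, not a real scan. notes.txt carries the RFC 1321 MD5
# test vector for the bytes b"abc"; the other two hashes are placeholders.
SAMPLE_REPORT = """\
File name: index.html
Severity: "Potentially suspicious"
Reason: Detected abnormal use of [iframe] elements.
Details: Detected abnormal use of [iframe] elements.
Offset: 2048
Threat dump: <iframe width="0" height="0"
src="http://example.invalid/"></iframe>
File size[byte]: 20480
File type: HTML
MD5: 00000000000000000000000000000000
Scan duration[sec]: 0.12

File name: notes.txt
Severity: "Clean"
Reason: None
Details: No suspicious elements found.
File size[byte]: 3
File type: Text
MD5: 900150983cd24fb0d6963f7d28e17f72
Scan duration[sec]: 0.01

File name: invoice.pdf
Severity: "Suspicious"
Reason: Modified PDF format.
Details: Detected PDF document which is malformed.
File size[byte]: 51200
File type: PDF
MD5: 11111111111111111111111111111111
Scan duration[sec]: 0.40
"""
```

Running parse_report(SAMPLE_REPORT) and then triage on the result puts index.html in S2 and invoice.pdf in S3, the two files the S2-S4 rule says to look at first. The MD5 field is used here only to identify which file was scanned; it is a fingerprint for matching, not a guarantee of integrity against a deliberately crafted collision.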